howdy,

On Tue, Jan 14, 2014 at 12:16:53PM +0100, Thomas von Dein wrote:
- coordinate representation x, x&y, x and sign ... or bits to show which of these ... perhaps borrow ANSI method
Could you please explain this further?
i believe this is not really necessary for this type of curve. especially if we manage to switch to elligator curves soonish.
- hint / indication of cipher suite / curve
In pcp there's already such a hint included in exported keys, however I'm not using it, since there's no choice of different curves in libsodium so far. But it's on the list.
unfortunately pbp has such a distinguisher, it decides between asym/sym encryption. i should somehow get rid of that.
- text encoding of binary format (ascii)
As already stated in the other subthread, I use Z85, while stef is using base85. Since Z85 is a subset of base85, I'm pretty sure we can agree on something.
absolutely. i like small keys, that's why we do ecc, not RSA. as it allows using crypto e.g. also in tweets, signed tweets leave you with ~55 chars for messages, or as we recently found out also in the comment field of bank wire transfers. i wasn't really joking about doing a number-station-style output format. the https://en.wikipedia.org/wiki/PGP_word_list might be quite good for easy human voice transmission, like in key parties. takes a bit of time reciting 32 words, but might be easier than reciting a pgp keyid.
I'm not sure how stef solved the ed25519 issue (you can't use a curve25519 secret key to create an ed25519 signature directly). After some discussion on the libsodium mailing list we came up with this:
When the user generates a new key, the ed25519 secret key will be generated first. The curve25519 secret will be derived from that, since the ed25519 already contains a usable curve25519 key. In pcp I store both of them for easier access, so the ed25519 and curve25519 secret and public keys are stored; the secret keys are encrypted and I store the nonce as well (see include/pcp/key.h).
pbp uses separate and unrelated keys for confidentiality and others for signing.
Speaking of key encryption: @stef: according to your docs you're already using scrypt() for key derivation. I'd like to use that as well, but it's not part of libsodium (afaik), so I use my own method for this until scrypt() is implemented in libsodium. That's because I want to avoid writing crypto code myself.
http://ftp.de.debian.org/debian/pool/main/s/scrypt/scrypt_1.1.6.orig.tar.gz seems like a good start for reusing code.

--
pgp: https://www.ctrlc.hu/~stef/stef.gpg
pgp fp: FD52 DABD 5224 7F9C 63C6 3C12 FC97 D29F CA05 57EF
otr fp: https://www.ctrlc.hu/~stef/otr.txt